Tue May 8, 2012, 2:27 am

Bill Would Have Businesses Foot Cost Of Cyber War

Business executives and national security leaders are of one mind over the need to improve the security of the computers that control the U.S. power grid, the financial system, water treatment facilities and other elements of critical U.S. infrastructure. But they divide over the question of who bears responsibility for that effort.

The disagreement stands as an obstacle to passage of major cybersecurity legislation backed by Sens. Joe Lieberman of Connecticut and Susan Collins of Maine, among others.

Many intelligence and security officials who worked under President George W. Bush, as well as those serving under President Obama, are backing stricter government regulation of cybersecurity, a key part of the Lieberman-Collins legislation. Business leaders, however, generally oppose those provisions.

"The major concern is the vast regulatory structure that would be set up at the Department of Homeland Security," says Larry Clinton, president of the Internet Security Alliance, an association of major U.S. companies with interests in the cybersecurity debate.

It's a concern not shared by Stewart Baker, a top cybersecurity official in the Bush administration who says he generally holds pro-business and anti-regulation views. "I see a big conflict between the desire to avoid regulation and the desire to protect national security," Baker says. "I come down on the national security side of that debate."

A War Without An Army

The cybersecurity debate is complicated by one central fact: The most critical elements of the U.S. infrastructure, from the electric grid to the telecommunications system, are generally in private hands. If a U.S. adversary attacked the computer networks that control those systems, the companies that own them would have to take care of the networks themselves. There is no national cyber army to defend them.

Government officials say the situation leaves the U.S. infrastructure vulnerable in the event of an all-out cyberwar.

At a recent cybersecurity conference organized by Bloomberg, for example, Frank Montoya, the top U.S. counterintelligence official, reminded the business people in his audience how much has changed since World War II, when the U.S. military did the fighting and private industry played only a support role.

"Let's fast forward to the 21st century," Montoya said. "We're an information-based society now. Information is everything. That makes you, as company executives, the front line — not the support mechanism, the front line — in [determining] what comes."

Cybersecurity Not In Business Model

The question raised by some security experts is whether private industry is up to the challenge. Recent research sponsored by EMC, a leading information technology firm, suggested that cyberthreats are not getting adequate attention from corporate boards and senior executives. A study by Bloomberg Government concluded that utilities, banks and other infrastructure operators may need to increase their cybersecurity spending as much as nine times to reach satisfactory levels.

Such findings have convinced many in the national security establishment that the government may need to require companies to improve their cybersecurity. The backers of tougher cybersecurity regulation include Michael McConnell, a former head of the National Security Agency and director of national intelligence under George W. Bush, as well as Michael Chertoff, President Bush's secretary of Homeland Security.

"When you've had responsibility and had to live with the possibility that tomorrow you'll wake up and on your watch something very bad has happened, you have a different view about the importance of being able to do something about it," says Stewart Baker, who was general counsel at the National Security Agency before serving in the Bush administration as the first assistant secretary for policy at the Department of Homeland Security.

On the other hand, national security leaders don't necessarily have much experience running a private business.

"The legally mandated role of the government is to provide for the common defense, and they're willing to spend pretty much whatever it takes to do that," says Larry Clinton of the Internet Security Alliance. "If you're in a private organization, your legally mandated responsibility is to maximize shareholder value. You can't spend just anything on the cyberthreat. You have an entirely different calculus that you have to put into effect."

Clinton agrees that companies do need to spend more on cyberdefense than they're spending now, with more resources going to new technologies, monitoring and security consultants.

Simply requiring companies to spend that money without regard for whether they can afford it, however, doesn't make sense, Clinton argues.

"Whether we like it or not, we are going to have to figure out a way to get private companies to make, on a sustainable basis, investments that are not justified by their business plans," Clinton says. "Simply telling them, 'You have to ignore your business plan,' is not a sustainable model. We have to find a way to make it economic."

A Time For Sacrifice?

Some national security leaders argue, in turn, that there have been times in U.S. history when the country has had to make security investments whether or not they made business sense. The need to prepare for a massive cyberattack, they say, is such an occasion.

Larry Clinton's response: Then the government should pick up the check.

"If the government was interested in paying the private sector to do all these things, probably we would go a long way toward doing it," he says. "But the government so far, [with] the Lieberman-Collins bill, wants it all done for free. They want the businesses to simply plow that into their profit and loss statement, and the numbers are staggering. You simply can't do it."

Almost every day, we hear new warnings that critical U.S. computer networks could be taken down by foreign adversaries, cyber-criminals, maybe even terrorists. This week has brought the news that gas pipeline companies in the United States may be dealing with a round of cyber-attacks. Over the next few days, we'll be exploring how the country could improve its cyberdefense. And here's the first question: Is it up to the government to make sure that our computers are protected, or is this a job for private industry? NPR's Tom Gjelten has the story.

TOM GJELTEN, BYLINE: What makes the cybersecurity challenge so difficult is that most of the really important computer networks - the ones that control the power grid, the banking system, food distribution, water treatment - are privately owned. So, if there were a big cyber-war and the enemy went after those computers, the companies that run them would have to take care of the networks themselves. There's no national cyber-army to defend them. Government officials make that point every chance they get. Frank Montoya, the country's top counterintelligence official, speaking last month at a cybersecurity conference, reminded the businesspeople in his audience how much has changed since World War II, when the U.S. military did the fighting and private industry played only a support role.

FRANK MONTOYA: Let's fast-forward to the 21st century. We're an information-based society now. Information is everything. That makes you, as company executives, the frontline - not the support mechanism, the frontline in what comes.

GJELTEN: But is private industry up to that challenge? Recent studies suggest companies are not doing a good job protecting their networks, not spending close to what's necessary to make their computers secure. So, the big new idea: Require companies to improve their cybersecurity with the government then checking on them. It's in a bill introduced by Senators Joe Lieberman of Connecticut, Susan Collins of Maine and others. Not surprisingly, business leaders don't like it.

LARRY CLINTON: The major concern is the vast regulatory structure that would be set up at the Department of Homeland Security.

GJELTEN: Larry Clinton is president of the Internet Security Alliance, representing many companies with a stake in the cybersecurity debate. An interesting point here: The debate is not strictly partisan. The big dividing line isn't so much between Republicans and Democrats, as between the business community and the national security establishment. Stewart Baker was an assistant secretary of Homeland Security under George W. Bush. He's a Republican, and he's normally pro-business and anti-regulation, but not when it comes to cyberdefense.

STEWART BAKER: I see a big conflict between the desire to avoid regulation and the desire to protect national security. I come down more on the national security side of that debate.

GJELTEN: And he's not alone. On that same side are Mike McConnell, President Bush's director of national intelligence, and Michael Chertoff, President Bush's secretary of Homeland Security. Stewart Baker says it's no surprise that national security types think government should require companies to do a better job protecting their computer networks.

BAKER: When you've had responsibility and had to live with the possibility that tomorrow, you'll wake up, and on your watch, something very bad has happened, you have a different view about the importance of being able to do something about it.

GJELTEN: On the other hand, national security leaders don't necessarily have much experience running a private business. Larry Clinton from the Internet Security Alliance says it's just a case of two cybersecurity perspectives.

CLINTON: The legally mandated role of the government is to provide for the common defense. And they're willing to spend pretty much whatever it takes to do that. If you are in a private organization, your legally mandated responsibility is to maximize shareholder value. You can't spend anything on any cyber-threat. You have an entirely different calculus that you have to put into effect.

GJELTEN: Clinton agrees companies do need to spend more on cyberdefense than they're spending now - more on new technology, monitoring and security consultants. But just requiring companies to spend that money without regard for whether they can afford it doesn't make sense, he says.

CLINTON: Whether we like it or not, we're going to have to figure out a way to get private companies to make, on a sustainable basis, investments that are not justified by their business plans, and simply telling them, well, you have to ignore your business plan. It's not a sustainable model. We have to find a way to make it economic.

GJELTEN: National security leaders say there are times when the country simply has to make an investment, whether it makes business sense or not. A massive cyber-attack would be devastating. OK, says Larry Clinton, so let the government pick up the check.

CLINTON: If the government was interested in paying the private sector to do all of these things, probably we would go a long way towards doing it. But the government so far - well, the Lieberman-Collins Bill - wants it all done for free. They want the businesses to simply plow that into their profit and loss statement, and the numbers are staggering. You simply can't do it.

GJELTEN: How to get private companies to do what the country needs them to do is probably the toughest question in the debate over what new cybersecurity laws are needed. But it's not the only issue. Another is how to make it easier for government and industry to share what they each know about emerging cyber-threats. Why that's so important is tomorrow's story. Tom Gjelten, NPR News. Transcript provided by NPR, Copyright NPR.